Hi, I'm Dion



I write programs for a living. 

This is about one (well, a few) I wrote for fun.



Disclaimer 



This is a work-in-progress tool. 



Money and Fame and Cred 



Finding bugs is fun. 



One way to find bugs 



1. Find a specification

2. Find the dirty corners

3. Fuzz?

3. Audit the code that processes the wacky bits






Goal 



I want a tool that can tell me which instructions process which parts of the input.



Goal 



<html> 
<body> 
<blink> 
SHMOOOOOO ! 
</blink> 
</body> 
</html> 



Disclaimer: Unoriginal



Not a new concept. 

But, nothing public that plugs into IDA (that I'm aware of).



BaS04 



A collection of tools: 

1. Fine-grained execution trace collector 

2. Control dependence analysis 

3. Taint propagation analysis 

4. IDA plug-in 



BaS04 



Demo. 



BaS04 

1. Execution Trace 



Diagram: Command Line (Start Function, Watchpoint Set) -> Voidness -> Trace



Voidness 



Trace collection. 

Execute the program and record process 
state after each executed instruction. 



Voidness 



Naïve way:

Record all registers and any accessed memory after each instruction.



Voidness 



A better idea:

Maintain a shadow (cached) copy of memory and registers. Only record those registers/memory locations that don't match the cache. [1]

[1] Thanks, MSR. Nirvana project does this.
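The shadow-copy scheme in working form, as an added example that is not Voidness, Pin or Nirvana code: a toy tracer diffs each post-instruction snapshot against shadow registers and shadow memory and logs only the cells that changed, and a replay routine shows the delta log still reconstructs full state for a consumer. The register file, addresses, instruction sequence and snapshot values are constructed for the example; a real Pin tool would get the touched memory operands from its instrumentation callbacks.

```python
"""Delta recording of an execution trace against a shadow copy of state.

Added example, not the Voidness Pin tool or MSR's Nirvana. The machine is a
constructed toy: a four-register file and a byte-addressed memory, with the
post-instruction snapshots written out by hand for a short sequence.
"""


class DeltaTracer:
    """Keep a shadow copy of registers and memory; log only what changed."""

    def __init__(self, initial_regs):
        self.shadow_regs = dict(initial_regs)
        self.shadow_mem = {}          # addr -> byte, filled lazily
        self.log = []                 # (ip, reg_delta, mem_delta) per instruction

    def record(self, ip, regs_after, touched_mem):
        """regs_after: the full register file after the instruction.
        touched_mem: {addr: byte} for every byte the instruction read or wrote
        (the information a DBI framework hands to the analysis routine)."""
        reg_delta = {r: v for r, v in regs_after.items()
                     if self.shadow_regs.get(r) != v}
        mem_delta = {a: b for a, b in touched_mem.items()
                     if self.shadow_mem.get(a) != b}
        self.shadow_regs.update(reg_delta)
        self.shadow_mem.update(mem_delta)
        self.log.append((ip, reg_delta, mem_delta))


def replay(initial_regs, log, upto=None):
    """Rebuild the register file and known memory after `upto` log entries,
    which is what a consumer of the trace (e.g. taint analysis) needs."""
    regs, mem = dict(initial_regs), {}
    for _ip, reg_delta, mem_delta in log[:upto]:
        regs.update(reg_delta)
        mem.update(mem_delta)
    return regs, mem


def toy_run():
    """Constructed snapshots: load a dword, bump it, store it back, dec a counter."""
    initial = {"eax": 0, "ecx": 3, "esp": 0x1000, "eip": 0x400000}
    mem = {0x2000 + i: b for i, b in enumerate(b"ABCD")}   # constructed data
    dword = range(0x2000, 0x2004)
    snaps = []
    # 0x400000: mov eax, [0x2000]   reads 4 bytes ("ABCD" little-endian)
    regs = dict(initial, eax=0x44434241, eip=0x400005)
    snaps.append((0x400000, regs, {a: mem[a] for a in dword}))
    # 0x400005: add eax, 1          touches no memory
    regs = dict(regs, eax=regs["eax"] + 1, eip=0x400008)
    snaps.append((0x400005, regs, {}))
    # 0x400008: mov [0x2000], eax   writes 4 bytes; only the low byte differs
    mem[0x2000] = 0x42
    regs = dict(regs, eip=0x40000d)
    snaps.append((0x400008, regs, {a: mem[a] for a in dword}))
    # 0x40000d: dec ecx
    regs = dict(regs, ecx=regs["ecx"] - 1, eip=0x40000f)
    snaps.append((0x40000d, regs, {}))
    return initial, snaps


def compare_recording():
    """Return (naive_cells, delta_cells, log): cells written when recording
    every register plus every touched byte, versus shadow-copy deltas."""
    initial, snaps = toy_run()
    tracer = DeltaTracer(initial)
    naive = 0
    for ip, regs, touched in snaps:
        naive += len(regs) + len(touched)
        tracer.record(ip, regs, touched)
    delta = sum(len(r) + len(m) for _, r, m in tracer.log)
    return naive, delta, tracer.log


if __name__ == "__main__":
    naive, delta, log = compare_recording()
    print(f"naive cells: {naive}, delta cells: {delta}")
    for ip, r, m in log:
        print(hex(ip), r, {hex(a): hex(b) for a, b in m.items()})
```

The saving comes from instructions that touch memory without changing it (the store of an unchanged dword costs one byte in the log instead of four) and from the registers an instruction leaves alone; the log stays lossless because replay applies the deltas in order.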



Voidness 

Speed. 
This will be slow. 
But... how slow? 



Voidness 



Idea #1 



Attach a debugger and single step. 
(OllyDbg Run Trace) 



Voidness 



Idea #2 

Modify a system simulator (like qemu) to 
dump trace information. 

(BitBlaze's TEMU)



Voidness 



Idea #3 



Dynamic Binary Instrumentation 
(Dan Reynaud's Trace Surfer) 



Dynamic Binary Instrumentation 

Voidness is implemented as a Pin tool. 

Pin is Intel's Dynamic Binary Instrumentation (DBI) tool.

Other options are DynamoRIO[1] and Valgrind.

[1] The old Dynamo paper by HP is great.



Voidness: Other Features 

Takes custom watchpoints:

S:\Simple\Debug\Test001.exe
0x000113b0
(@ (+ ESP 0x04))
(+ ESP 0x08)



Voidness: Other Features 



Takes an argument to specify trace begin scope.



Voidness: Current State 



The simulation part of the caching is not implemented.

Multiple threads are recorded in separate logs. No way to come up with a possible ordering.



BaS04 

2. Static Analysis (i) 



IDA2Cfg.IDC 



Diagram: Image (exe/dll) -> IDA -> CFGs



BaS04 

2. Static Analysis (ii) 

Diagram: CFGs -> Cfgs2Cds -> analysis.db (Control Dependence Relations)



The Dominance Relation 



If X appears on every path from Entry to Y, then X dominates Y.

[Figure: example CFG from Entry to Exit, numbered nodes, used for the questions that follow]
The Dominance Relation

Which nodes dominate 6?

1 and 2 (and 6)



The Dominance Relation

What about 8?

Just 1 (and 8)



The Dominance Relation 

Post dominance is calculated as dominance on the reversed CFG.



The Dominance Relation 

X is control dependent on Y if Y determines whether X executes.

Control dependence is calculated using post dominance: X is control dependent on Y if Y has a successor Z such that X post-dominates Z but X does not strictly post-dominate Y.



Control Dependence 



Example: 3 and 4 are control dependent on 2.
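Dominance, post dominance (dominance on the reversed CFG) and control dependence computed end to end, as an added example and not the Cfgs2Cds tool. The CFG is constructed for the example (a diamond inside a loop) and is not the graph drawn on the slides, but it reproduces the slide's point: 3 and 4 come out control dependent on 2, and the loop body comes out control dependent on the loop test at 5.

```python
"""Dominators, post-dominators and control dependence on a small CFG.

Added example, not BaS04's Cfgs2Cds. The CFG below is constructed for the
example: entry -> 1 -> 2, a diamond 2 -> {3, 4} -> 5, a back edge 5 -> 2,
and 5 -> 6 -> exit.
"""

CFG = {
    "entry": {"1"},
    "1": {"2"},
    "2": {"3", "4"},
    "3": {"5"},
    "4": {"5"},
    "5": {"2", "6"},
    "6": {"exit"},
    "exit": set(),
}


def dominators(succ, entry):
    """Iterative dataflow: Dom(n) = {n} | intersection of Dom(p) over preds."""
    nodes = set(succ)
    for targets in succ.values():
        nodes |= set(targets)
    pred = {n: set() for n in nodes}
    for n, targets in succ.items():
        for t in targets:
            pred[t].add(n)
    dom = {n: set(nodes) for n in nodes}   # start from "everything" and shrink
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if n == entry:
                continue
            new = {n}
            if pred[n]:
                new |= set.intersection(*(dom[p] for p in pred[n]))
            if new != dom[n]:
                dom[n] = new
                changed = True
    return dom


def reverse(succ):
    """Reverse every edge; used to turn post dominance into dominance."""
    rev = {}
    for n, targets in succ.items():
        rev.setdefault(n, set())
        for t in targets:
            rev.setdefault(t, set()).add(n)
    return rev


def post_dominators(succ, exit_node):
    return dominators(reverse(succ), exit_node)


def control_dependence(succ, exit_node):
    """x is control dependent on y if some edge y -> z exists such that
    x post-dominates z but does not strictly post-dominate y."""
    pdom = post_dominators(succ, exit_node)
    cd = {}
    for y, targets in succ.items():
        for z in targets:
            for x in pdom[z]:
                if x == y or x not in pdom[y]:
                    cd.setdefault(x, set()).add(y)
    return cd


if __name__ == "__main__":
    for node, ds in sorted(dominators(CFG, "entry").items()):
        print(f"dom({node}) = {sorted(ds)}")
    for node, ys in sorted(control_dependence(CFG, "exit").items()):
        print(f"{node} is control dependent on {sorted(ys)}")
```

The x == y case is deliberate: a loop test that decides whether to run another iteration is control dependent on itself, which is what makes a tainted loop counter show up as influencing every instruction in the loop body.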




BaS04 

3. Taint Propagation 

Diagram: Execution Trace + analysis.db (Control Dependence Relations) -> TaintAnalysis -> Taint Info



Taint Propagation 



call readU32          ; eax <- four bytes of input: eax is tainted
add eax, 0x20         ; arithmetic on a tainted value: still tainted
lea eax, [4 * eax]    ; still tainted
push eax              ; the taint moves into the stack slot at [esp]
xor eax, eax          ; result is 0 whatever the input: eax is clean again
push eax              ; clean stack slot
call func             ; func's first argument is clean, its second is tainted
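A register-level taint propagator run over that seven-instruction sequence, as an added example and not BaS04's TaintAnalysis. The trace, the input offsets that readU32 is assumed to return (bytes 0x10 to 0x13 of the input) and the initial esp are constructed; taint is tracked per register and per stack byte as a set of input byte offsets, which is coarser than the byte-granular tracking the talk aims at but enough to show the union rule, the stack copy and the xor-clearing special case.

```python
"""Taint propagation over a recorded instruction trace.

Added example, not BaS04's TaintAnalysis. Taint labels are sets of input byte
offsets; a register or stack byte with no entry is clean. Everything below
(trace text, input offsets, initial esp) is constructed for the example.
"""
import re

REG = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p)\b")

# Constructed: the call to readU32 is assumed to have returned input[0x10:0x14].
INPUT_BYTES = frozenset(range(0x10, 0x14))

# Constructed trace, in the order the slide shows it. Each entry is the
# disassembly text plus side information a trace would supply (here: which
# input bytes the called reader returned).
TRACE = [
    ("call readU32",     {"ret_taint": INPUT_BYTES}),
    ("add eax, 0x20",    {}),
    ("lea eax, [4*eax]", {}),
    ("push eax",         {}),
    ("xor eax, eax",     {}),
    ("push eax",         {}),
    ("call func",        {}),
]


def taint_of(regs, operand):
    """Union of the taint of every register named in an operand string;
    immediates contribute nothing."""
    t = frozenset()
    for r in REG.findall(operand):
        t |= regs.get(r, frozenset())
    return t


def propagate(trace, esp=0x1000):
    """Walk the trace; return (reg taint, stack-byte taint, esp, eax history)."""
    regs, mem, history = {}, {}, []
    for text, info in trace:
        mnem, _, rest = text.partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest else []
        if mnem == "call":
            if "ret_taint" in info:          # return value carries input bytes
                regs["eax"] = frozenset(info["ret_taint"])
        elif mnem == "xor" and ops[0] == ops[1]:
            regs.pop(ops[0], None)           # xor r, r is a constant: clean
        elif mnem in ("add", "sub", "or", "and", "xor"):
            regs[ops[0]] = taint_of(regs, ops[0]) | taint_of(regs, ops[1])
        elif mnem == "lea":                  # address arithmetic, no memory read
            regs[ops[0]] = taint_of(regs, ops[1])
        elif mnem == "push":
            esp -= 4
            t = taint_of(regs, ops[0])
            for a in range(esp, esp + 4):    # copy taint into the stack slot
                if t:
                    mem[a] = t
                else:
                    mem.pop(a, None)
        else:
            raise NotImplementedError(text)
        regs = {r: t for r, t in regs.items() if t}
        history.append((text, regs.get("eax", frozenset())))
    return regs, mem, esp, history


def call_arguments(mem, esp, n=2):
    """Taint of the n dword stack arguments as a cdecl callee sees them at esp."""
    args = []
    for i in range(n):
        t = frozenset()
        for a in range(esp + 4 * i, esp + 4 * i + 4):
            t |= mem.get(a, frozenset())
        args.append(t)
    return args


if __name__ == "__main__":
    regs, mem, esp, history = propagate(TRACE)
    for text, eax in history:
        print(f"{text:20s} eax taint = {sorted(eax)}")
    print("func args:", [sorted(a) for a in call_arguments(mem, esp)])
```

Answering the talk's question ("which instructions process which parts of the input") is then a matter of recording, per trace entry, the taint of the operands it read; here that is the eax history, which names input bytes 0x10 to 0x13 for the add, lea and first push, and nothing for the instructions after the xor.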



IDA Plug-in 



Once taint info is computed, linking the byte offsets from the tainted input to logical chunks is next.



Future 



Fusing multiple traces to get more accurate information and larger coverage.

Finding a way to model the different types of taint.



Questions?! 



Attribution 

Cat X-ray: http://www.flickr.com/photos/art-sarah/345119755



